SEC540: Cloud Security and DevOps Automation

As a developer who is responsible for infrastructure and security, SEC540 was very useful for a broad, comprehensive overview of what I should be looking at, as well as deep dives on how to implement the solutions.

Kraig Hufstedler, Enterprise Holdings

SEC540 provides development, operations, and security professionals with a methodology to build and deliver secure infrastructure and software using DevOps and cloud services. Students will explore how the principles, practices, and tools of DevOps can improve the reliability, integrity, and security of on-premise and cloud-hosted applications.

Starting with on-premise deployments, the first two days of the course examine the Secure DevOps methodology and its implementation using lessons from successful DevOps security programs. Students will gain hands-on experience using popular open-source tools such as Puppet, Jenkins, GitLab, Vault, Grafana, and Docker to automate Configuration Management ("Infrastructure as Code"), Continuous Integration (CI), Continuous Delivery (CD), containerization, micro-segmentation, automated compliance ("Compliance as Code"), and Continuous Monitoring. The lab environment starts with a CI/CD pipeline that automatically builds, tests, and deploys infrastructure and applications. Leveraging the Secure DevOps toolchain, students perform a series of labs injecting security into the CI/CD pipeline using a variety of security tools, patterns, and techniques.

An Amazon Web Services (AWS) account is required to do hands-on exercises during this course. Students must create an AWS account prior to the start of class. Your ability to execute the hands-on exercises will be delayed if you wait to set up the AWS account in class.

The estimated AWS cost for running the lab environment is $20 per week. Costs are significantly less for free-tier accounts.

Optional Microsoft Azure bonus challenges are available to students. Completing the bonus requires students to create a Microsoft Azure account prior to the start of class.

The estimated Azure cost for running the lab environment is $20 per week. Eligible free-tier accounts receive $200 in Azure credits (subject to verification and approval).

Course Syllabus

SEC540.1: Introduction to Secure DevOps

Overview

DEV540 starts by introducing DevOps practices, principles, and tools. We will examine how DevOps works, how work is done in DevOps, and the importance of culture, collaboration, and automation.

Using case studies of DevOps "Unicorns" - the Internet tech leaders who have created the DevOps DNA - we'll consider how and why these leaders succeeded and examine the keys to their DevOps security programs.

We'll then look at Continuous Delivery, which is the DevOps automation engine. We'll explore how to build up a Continuous Delivery or Continuous Deployment pipeline, including how to fold or wire the DevSecOps security controls into the Continuous Delivery pipeline, and how to automate security checks and tests in Continuous Delivery.

Exercises

Exploring CI/CD Tools and Pipelines

Deployment Kata

Pre-Commit Security: Git Hooks and Security Unit Testing

Automating Static Analysis in CI

Automating Dynamic Analysis in CI/CD

NetWars (Day 1): Secure DevOps Bonus Challenges

CPE/CMU Credits: 8

Topics

Introduction to DevOps

Case Studies on DevOps Unicorns

Working in DevOps

Security Challenges in DevOps

Building a CD Pipeline

DevOps Deployment Data

Secure Continuous Delivery

Security in Pre-Commit

Security in Commit

Security in Acceptance

SEC540.2: Moving to Production

Overview

Building on the ideas and frameworks developed in Section 1 of the course, and using modern automated configuration management tools like Puppet, Chef, and Ansible, you'll learn how secure Infrastructure as Code allows you to quickly and consistently deploy new infrastructure and manage configurations.

Because the automated CD pipeline is so critically important to DevOps, you'll also learn to secure the pipeline using a variety of defensive approaches.

As the infrastructure and application code moves to production, we'll spend the second half of the day exploring container security issues associated with tools such as Docker and Kubernetes, as well as how to protect secrets using Vault and how to build continuous security monitoring using Grafana, Graphite, and StatsD.

Finally, we'll discuss how to build compliance into Continuous Delivery, using the security controls and guardrails that have been built in the DevOps toolchain.

SEC540.3: Moving to the Cloud

Overview

Observing DevOps principles, you'll learn to deploy infrastructure, applications, and the CI/CD toolchain into the cloud. This section starts with an overview of Amazon Web Services (AWS) and introduces the foundational tools and practices you'll need to deploy an automated infrastructure pipeline to the AWS cloud.

Students spend the second half of the day scanning and testing their cloud infrastructure code for common cloud misconfiguration vulnerabilities. Correcting and committing infrastructure code changes will trigger an automated infrastructure pipeline to harden the cloud infrastructure code.

SEC540.4: Cloud Application Security

Overview

In this section, you'll learn to leverage cloud application security services to ensure that applications have appropriate encryption, authentication, authorization, and access control, while also maintaining functional and high-availability systems.

Starting with cloud data protection, we will explore the various encryption services and how to implement secrets management in the cloud. Leveraging that knowledge, students will learn to protect static website content served by a Content Delivery Network (CDN) using private key signing.

The second half of the day explores the world of microservices, protecting APIs with an API Gateway, and deploying serverless functions to manage authorization, data entitlements, and access control.

Exercises

Encrypting Application Secrets with KMS and the SSM Parameter Store

Securing CloudFront Content with Signed URLs

Protecting REST Web Services with API Gateway

Protecting APIs with Lambda and JSON Web Tokens (JWT)

NetWars (Day 4): Cloud Application Security Bonus Challenges

CPE/CMU Credits: 8

Topics

Data Protection

Data Storage (S3, RDS, DynamoDB)

Secrets Management

Approaches to Secrets Management

Key Management Service

Third-Party Solutions

Secure Content Delivery

Introduction to Content Delivery Networks

Restricting Origin Access with Origin Access Identities

CloudFront Trusted Signing and Access Control with Signed Cookies and URLs

SEC540.5: Cloud Security Automation

Overview

Expanding on the foundation of the previous sections, DevSecOps practitioners shift their focus in this course section to leveraging cloud services to automate security tasks. Students start by deploying a security patch to an application using blue/green environments to minimize downtime.

Next, we review deploying and configuring a cloud web application firewall with monitoring, attack detection, and active defense capabilities to catch and block bad actors. Taking this concept to the next level, students finish off the course by building custom monitoring, detection, and enforcement of cloud compliance policies and hardening guidelines.

Additional Information

Laptop Requirements

Plan to arrive early on Day 1 (8:30 AM local time) for lab preparation and setup. During this time, students can confirm that their Amazon Web Services (AWS) account is properly set up, ensure laptops have virtualization enabled, copy the lab files, and start the Linux virtual machine.

The instructor will be available to assist students with laptop prep and set-up from 8:30 - 9:00 AM. Class lecture begins at 9:00 AM (excludes vLive, Mentor, and OnDemand).

!!! IMPORTANT NOTICE !!!

It can take more than 24 hours for a new AWS free-tier account to become active. Please do the following at least one week prior to the start of class:

1. Register for a personal free-tier account.

2. Activate your new account.

3. Log in to the AWS Console with your root account.

4. Browse to the EC2 Service and verify that you see the dashboard (not an activation screen).

5. In the top right-hand corner of the page, select one of the following supported regions (preferably the region closest to where the course is running):

U.S. East (Northern Virginia)

U.S. West (Oregon)

E.U. (Ireland)

Asia Pacific (Tokyo)

6. From the left navigation bar, select "Limits."

7. Verify that you have at least 5 t2.micro instances available.

8. If your limit is less than 5 t2.micro instances, start by creating a new t2.micro instance. Creating a new instance often causes the limit to increase automatically. If your limit does not increase automatically (wait 30 minutes and check again), request an increase by opening a ticket with the AWS support team. More details can be found in the AWS EC2 Service Limits documentation.

BRING YOUR OWN LAPTOP CONFIGURED USING THE FOLLOWING DIRECTIONS:

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly:

Download and install VMware Workstation, VMware Fusion, or VMware Workstation Player on your system prior to the start of the class.

If you own a licensed copy of VMware, make sure it is at least VMware Workstation Pro 14.0, VMware Fusion 10.0, or VMware Workstation Player 14.0.

If you do not own a licensed copy of VMware, download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Mandatory Host Hardware Requirements

CPU: 64-bit multi-core processor, 2.5 GHz or faster

BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI

Prerequisites

A basic understanding of application security, common attacks, and vulnerabilities (e.g., the OWASP Top 10)

Familiarity with Agile development and Agile project/product management practices

Familiarity with Linux command shells and associated commands

The ability to understand basic coding concepts

Hands-on Labs

DEV540 goes well beyond traditional lectures and immerses students in hands-on application of techniques in each section. Each lab includes a step-by-step guide to learning and applying hands-on techniques, as well as a "no hints" approach for those who want to stretch their skills and see how far they can get without following the guide. This allows each student, regardless of background, to choose a level of difficulty - always with a frustration-free fallback path.

DEV540 also offers students an opportunity to participate in NetWars Bonus Challenges each day. The gamified environment allows students to compete against each other in a race to win the DEV540 Challenge Coin, while also providing more hands-on experience with the cloud and DevOps toolchain.

Press & Reviews

"DEV540 helped me understand the complex ecosystem of DevOps. I came away with a well-rounded understanding of how the different technologies work together and how security needs to be tied into the CI/CD aspect. More than that, I found a new enthusiasm to learn and explore DevOps. Eric Johnson, our instructor was the best person to teach this course as he is a practitioner of these technologies and he very gladly gave his time to help and answer questions during the labs. The labs were very well designed to drill the concepts home." - Uday Pothakamury, Citi

"It has helped me get a better handle on the SEC DEV OPS concepts." - Fausto Franco, NYS ITS

"Definitely makes security in Dev Ops more relatable and concrete. Love that we are asked to fix issues." - Stephen Germain, Disney

Authors' Statement

"DevOps and cloud are radically changing the way that organizations design, build, deploy, and operate online systems. Leaders like Amazon, Etsy, and Netflix are able to deploy hundreds or even thousands of changes every day, continuously learning, improving, and growing - and leaving their competitors far behind. Now DevOps and the cloud are making their way from Internet 'Unicorns' and cloud providers into enterprises.

"Traditional approaches to security can't come close to keeping up with this rate of accelerated change. Engineering and operations teams that have broken down the 'walls of confusion' in their organizations are increasingly leveraging new kinds of automation, including Infrastructure as Code, Continuous Delivery and Continuous Deployment, microservices, containers, and cloud service platforms. The question is: Can security take advantage of the tools and automation to better secure its systems?

"Security must be reinvented in a DevOps and cloud world."

- Ben Allen, Jim Bird, Eric Johnson, and Frank Kim
